API & authentication
Use the SteadyCron REST API with API keys — scopes, expiry, and how the dashboard, CLI, and API relate.
The dashboard, the CLI, and the public REST API are all built on the same endpoints — anything you can do in the UI, you can automate.
API keys
Programmatic access uses API keys. Create and manage them in the dashboard.
- Keys are shown once at creation — store them securely.
- Keys carry the prefix sc_ and are stored only as a hash on our side; we can’t recover the original.
- Each key has a scope:
  - Read-only — list and read jobs, executions, and pings.
  - Full — read plus create, update, pause, and delete.
- Keys can be given an expiry date and revoked at any time.
Pass a key as a bearer token:
curl https://api.steadycron.com/v1/jobs \
-H "Authorization: Bearer sc_..."
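The key properties listed above (hash-only storage, scopes, expiry, revocation) can be enforced on the server side as in the following added Python example. It is not SteadyCron's code: SHA-256, the in-memory store, the key length, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed in-memory store: key digest -> metadata. No plaintext key is kept.
KEYS = {}
WRITE_ACTIONS = {"create", "update", "pause", "delete"}  # require the Full scope


def _digest(key: str) -> str:
    # Keys are long random strings, so a fast hash is adequate here
    # (assumption: SHA-256; the page does not name the algorithm).
    return hashlib.sha256(key.encode()).hexdigest()


def issue_key(scope: str, expires_at=None) -> str:
    """Create a key, store only its digest, return the plaintext exactly once."""
    if scope not in ("read-only", "full"):
        raise ValueError("unknown scope")
    key = "sc_" + secrets.token_urlsafe(32)
    KEYS[_digest(key)] = {"scope": scope, "expires_at": expires_at, "revoked": False}
    return key


def revoke_key(key: str) -> None:
    """Mark a key as revoked; the record stays so later use is still rejected."""
    KEYS[_digest(key)]["revoked"] = True


def authorize(header: str, action: str, now=None) -> bool:
    """Decide whether an Authorization header value permits `action`."""
    now = now or datetime.now(timezone.utc)
    scheme, _, key = header.partition(" ")
    if scheme != "Bearer" or not key.startswith("sc_"):
        return False
    presented = _digest(key)
    # Compare digests in constant time so timing does not reveal partial matches.
    meta = next((m for d, m in KEYS.items() if hmac.compare_digest(d, presented)), None)
    if meta is None or meta["revoked"]:
        return False
    if meta["expires_at"] is not None and now >= meta["expires_at"]:
        return False
    # Read actions pass with either scope; write actions need Full.
    return action not in WRITE_ACTIONS or meta["scope"] == "full"
```

Because only the digest is stored, a dump of the key table does not yield usable bearer tokens, which is also why a lost key has to be replaced rather than recovered.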
Sensitive operations
For security, a few operations are cookie-only (dashboard-authenticated) and cannot be performed with an API key — managing API keys themselves, billing, and account-level settings. This limits the blast radius of a leaked key.
Heartbeat pings are unauthenticated
Ping endpoints (ping.steadycron.com) do not use your API key — the unique,
unguessable token in the ping URL is the credential. This lets you ping from
anywhere (a shell script, a container) without distributing API keys, and ping
ingestion is rate-limited separately.
OpenAPI
The API is described by an OpenAPI document, so you can generate typed clients in your language of choice.
Next steps
- Infrastructure as code — manage jobs from a YAML file.
- Plans & limits